vCenter Server 5.5 Update 2d | 27 JAN 2015 | Build 2442329
VMware ESXi™ 5.5 Update 3b | 8 DEC 2015 | 3248547
VMware Product Interoperability Matrixes says that vCenter Server 5.5u2 is a valid combo with ESXi 5.5U3.
The patch for ESXi 5.5u3b / build 3248547 disables SSLv3 (to remediate POODLE SSL vulnerability). VMware ESXi 5.5 Update 3b Release Notes
i found that after applying the patch to an ESXi host and rebooting it, vCenter could not reconnect the host.
vCenter server's /var/log/vmware/vpx/vpxd.log:
[timestamp] [[...] error 'HttpConnectionPool-006630'] [ConnectComplete] Connect failed to <cs p:[...], TCP:esxi01.example.com:443>; cnx: (null), error: N7Vmacore3Ssl12SSLExceptionE(SSL Exception: error:140000DB:SSL routines:SSL routines:short read)
The steps in VMware KB: Enabling SSLv3 protocol on vSphere 5.5 (hostd section) work to un-break the connectivity of vCenter to the updated ESXi host, but of course that re-enables the vulnerable SSLv3, which is undesired.
Is there a way to make ESXi 5.5 3248547 work with VCSA 5.5u2d 2442329, with both sides avoiding SSLv3?
Am I correct to assume that updating VCSA to 5.5u3 will change VCSA's SSL version behavior to work without SSLv3?
A new update to the release notes addresses this issue.
To answer my own questions:
-No, you can't make ESXi 5.5u3b work with earlier vCenter Server versions unless you re-enable SSLv3 in ESXi.
-Yes, updating vCenter Server to 5.5u3b will make it work with ESXi 5.5 u3b without SSLv3.
Thanks for posting XavierEstevez
I didn't apply the patch for ESXi 5.5u3b / build 3248547 but only the critical security patch KB2135795 (fixes: Updates OpenSSL to openssl-1.0.1p)
Same issue with vCenter not reconnecting to the ESXi host after remediation/reboot and same error messages in vCenter vpxd.log file.
Enabling SSLv3 (Hostd section) in ESXi config.xml also fixed the issue
Does anyone know if we should take this literally and follow the complete instructions in KB2139396, or just enable it on the host in the first couple of steps?
Workaround: When ESXi is rebooted after remediate process is started, enable SSLv3 on ESXi (which is disabled by default).
This will make sure ESXi gets added to VC inventory automatically in few minutes and Remediation as completed. For more information refer, KB 2139396
I enabled it on the ESXi host, then proceeded with the instructions for everything I could when it made sense. Specifically talking about modifying configuration files on the server. It was part of the instructions in KB 2139396, so I tried to follow it to the letter. After doing it though, I found the client wouldn't connect (server service wouldn't start) at all to anything, and would eventually error out. I reverted the following back to normal and was able to connect both hosts. I also noticed an error in the event log in Windows on vpxd.exe. One host is running the 3248547, and the other is running 3116895. I hesitate to upgrade the 311 to 324.
To enable SSLv3:
I just added <sslOptions>16924672</sslOptions> to the config.xml, saved it, then ran "/etc/init.d/rhttpproxy restart"
Once it was done, I was able to connect again. I checked for updates, and all was current. I'm showing 3248547 on my updated machine only.
For me, that is the solution until I decide to put in vCenter 6. I don't plan on changing this until then.
I have 7 hosts in the cluster - it runs VDI hosting. I only updated the one until I know for sure that everything is ok with it. I don't plan on updating another host until January at the earliest.